commit 8682c5ad05a9dff8ba3575ff5c4e8ceb535f6c5e
author Nan Zhou <nanzhoumails@gmail.com> Sat Nov 13 11:00:07 2021 -0800
committer Ed Tanous <ed@tanous.net> Thu Nov 18 18:05:41 2021 +0000
tree 0efb6cb0d458ae5775cf9b8887083ec7e0fca1e6
parent 997093eb732dc889bd76f7aaa65e16a2aa4d7224

meson_options: implement disable-auth; delete pam

Implemented the disable-auth option.
This patch also removed the pam option which never worked.

Tested:
With disable-auth,

```
~# wget -qO- http://localhost/redfish/v1/Systems/
{
  "@odata.id": "/redfish/v1/Systems",
  "@odata.type": "#ComputerSystemCollection.ComputerSystemCollection",
  "Members": [
    {
      "@odata.id": "/redfish/v1/Systems/system"
    }
  ],
  "Members@odata.count": 1,
  "Name": "Computer System Collection"
}
```

Without disable-auth,

```
~# wget -qO- http://localhost/redfish/
{
  "v1": "/redfish/v1/"
}
~# wget -qO- http://localhost/redfish/v1/Systems/system
wget: server returned error: HTTP/1.1 401 Unauthorized
```

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I88e4e6fa6ed71096bc866b42b9af283645a65988

http/http_connection.hpp

diff --git a/http/http_connection.hpp b/http/http_connection.hpp
index 4b4310f..fb5eac7 100644
--- a/http/http_connection.hpp
+++ b/http/http_connection.hpp
@@ -354,7 +354,7 @@
             completeRequest();
             return;
         }
-
+#ifndef BMCWEB_INSECURE_DISABLE_AUTHENTICATION
         if (!crow::authorization::isOnAllowlist(req->url, req->method()) &&
             thisReq.session == nullptr)
         {
@@ -365,7 +365,7 @@
             completeRequest();
             return;
         }
-
+#endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION
         res.setCompleteRequestHandler([self(shared_from_this())] {
             boost::asio::post(self->adaptor.get_executor(),
                               [self] { self->completeRequest(); });
@@ -566,7 +566,6 @@
                     return;
                 }
 
-                boost::beast::http::verb method = parser->get().method();
                 readClientIp();
 
                 boost::asio::ip::address ip;
@@ -575,8 +574,11 @@
                     BMCWEB_LOG_DEBUG << "Unable to get client IP";
                 }
                 sessionIsFromTransport = false;
+#ifndef BMCWEB_INSECURE_DISABLE_AUTHENTICATION
+                boost::beast::http::verb method = parser->get().method();
                 userSession = crow::authorization::authenticate(
                     ip, res, method, parser->get().base(), userSession);
+#endif // BMCWEB_INSECURE_DISABLE_AUTHENTICATION
                 bool loggedIn = userSession != nullptr;
                 if (loggedIn)
                 {

include/authorization.hpp

diff --git a/include/authorization.hpp b/include/authorization.hpp
index 40a6119..202628c 100644
--- a/include/authorization.hpp
+++ b/include/authorization.hpp
@@ -223,7 +223,8 @@
 #endif
 
 // checks if request can be forwarded without authentication
-static bool isOnAllowlist(std::string_view url, boost::beast::http::verb method)
+[[maybe_unused]] static bool isOnAllowlist(std::string_view url,
+                                           boost::beast::http::verb method)
 {
     if (boost::beast::http::verb::get == method)
     {
@@ -255,12 +256,13 @@
     return false;
 }
 
-static std::shared_ptr<persistent_data::UserSession> authenticate(
-    boost::asio::ip::address& ipAddress [[maybe_unused]],
-    Response& res [[maybe_unused]], boost::beast::http::verb method,
-    const boost::beast::http::header<true>& reqHeader,
-    [[maybe_unused]] const std::shared_ptr<persistent_data::UserSession>&
-        session)
+[[maybe_unused]] static std::shared_ptr<persistent_data::UserSession>
+    authenticate(
+        boost::asio::ip::address& ipAddress [[maybe_unused]],
+        Response& res [[maybe_unused]], boost::beast::http::verb method,
+        const boost::beast::http::header<true>& reqHeader,
+        [[maybe_unused]] const std::shared_ptr<persistent_data::UserSession>&
+            session)
 {
     const persistent_data::AuthConfigMethods& authMethodsConfig =
         persistent_data::SessionStore::getInstance().getAuthMethodsConfig();

meson.build

diff --git a/meson.build b/meson.build
index bdfa36e..01417f2 100644
--- a/meson.build
+++ b/meson.build
@@ -72,7 +72,6 @@
   'insecure-tftp-update'                        : '-DBMCWEB_INSECURE_ENABLE_REDFISH_FW_TFTP_UPDATE',
   'kvm'                                         : '-DBMCWEB_ENABLE_KVM' ,
   'mutual-tls-auth'                             : '-DBMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION',
-  'pam'                                         : '-DWEBSERVER_ENABLE_PAM',
   'redfish'                                     : '-DBMCWEB_ENABLE_REDFISH',
   'redfish-bmc-journal'                         : '-DBMCWEB_ENABLE_REDFISH_BMC_JOURNAL',
   'redfish-cpu-log'                             : '-DBMCWEB_ENABLE_REDFISH_CPU_LOG',
@@ -263,7 +262,7 @@
 # automatically during the configure step
 bmcweb_dependencies = []
 
-pam = cxx.find_library('pam', required: get_option('pam'))
+pam = cxx.find_library('pam', required: true)
 atomic =  cxx.find_library('atomic', required: true)
 openssl = dependency('openssl', required : true)
 bmcweb_dependencies += [pam, atomic, openssl]

meson_options.txt

diff --git a/meson_options.txt b/meson_options.txt
index 6c0f643..e2addbc 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -1,4 +1,3 @@
-option('pam', type: 'feature', value : 'enabled', description : 'Built static libraries')
 option('yocto-deps', type: 'feature', value: 'disabled', description : 'Use YOCTO dependencies system')
 option('kvm', type : 'feature',value : 'enabled', description : 'Enable the KVM host video WebSocket.  Path is \'/kvm/0\'.  Video is from the BMC\'s \'/dev/video\' device.')
 option ('tests', type : 'feature', value : 'enabled', description : 'Enable Unit tests for bmcweb')